Adding a management interface appears to break OPNsense GUI on LAN interface?

Started by miketubby, March 16, 2025, 09:40:59 PM

I thought I was going mad so I have done this three times now and get the same result.

Hardware is Sophos XG210 chassis, have installed OPNsense 25.1, in UEFI mode, all boots and works fine.

XG210 has eight Ethernet ports (6 x GbE and 2 x SFP).

Out of the box OPNsense comes up with:

  igb0 -> LAN with 192.168.1.1/24
  igb1 -> WAN (no IP address yet)

I plug igb0 in to my Netgear VLAN enabled GS728TPv2 switch on the same VLAN (VLAN144) as my Win 11 PC. I add a secondary IP address to the network interface on the Win 11 PC (in this case 192.168.1.40) and I can access the OPNsense UI - this works because the PC and XG210 are on the same VLAN.

In OPNsense I add a third interface:

  igb2 -> MGMT and set the IP address to 192.168.2.1/24

I check in System > Settings > Access and it says the admin interface is defaulted to 'all interfaces'.

I have set the UI to be HTTP rather than HTTPS and I have 'Applied Settings'.

I add another secondary IP to my Win 11 PC (192.168.2.40/24) and move the cable on the Netgear from igb0 to igb2 on the XG210 and attempt to access http://192.168.2.1 without success (connection timeout).

If I move the cable back to igb0 I can no longer access the UI on 192.168.1.1 either.

I have now lost UI access to OPNsense, so I go to the console and use option (4) Factory reset and start again. I can access the UI on 192.168.1.1.

Rinse and repeat ...


Why does adding a management interface break the UI on the LAN interface?


My specific use-case needs me to shoe-horn in OPNsense as a replacement for another firewall that has a WAN interface and where the LAN interface has eight VLANs... adding a management interface was my preference to allow both the WAN and VLANs on the LAN interface to be configured without getting locked out ;-)

Where am I going wrong?


Mike

Quote from: miketubby on March 16, 2025, 09:40:59 PM
I plug igb0 in to my Netgear VLAN enabled GS728TPv2 switch on the same VLAN (VLAN144) as my Win 11 PC. I add a secondary IP address to the network interface on the Win 11 PC (in this case 192.168.1.40) and I can access the OPNsense UI - this works because the PC and XG210 are on the same VLAN.

To make sure I understood correctly: on your switch, the ports your Windows machine and the XG210 are on are both configured as VLAN144 access ports. igb0/LAN on the XG210 has the IP 192.168.1.1 and you manually set an additional IP on the Windows machine to 192.168.1.40. In that setting you can access the OPNsense WebGUI. That would make sense so far.

Btw: per default a DHCP server runs on LAN/igb0 and the Windows machine would receive an IP. If you already have another DHCP server, that may not be the best setup. Two DHCP servers on the same L2 link is not a good idea.

Quote
I check in System > Settings > Access and it says the admin interface is defaulted to 'all interfaces'.

But you still need a firewall rule for MGMT/igb2, default (with no rule) is blocking all. Copy the allow-all rule from LAN and adjust interface to MGMT and source to MGMT networks and then it should work.

Quote
If I move the cable back to igb0 I can no longer access the UI on 192.168.1.1 either.

Does the Windows machine still have all the IPs you set?
Deciso DEC740
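As an added illustration of the point in the reply above (this is example code written for this page, not code from the thread or from the OPNsense project), the following Python models how OPNsense/pf evaluates GUI firewall rules: rules are bound to one inbound interface, the first matching rule wins, and traffic with no matching rule on that interface is dropped by the implicit default block, regardless of which interfaces the WebGUI listens on. The rule lists, interface names and addresses are the ones from the thread; the evaluator itself is a deliberate simplification (no states, no floating rules, no anti-lockout handling) and is an assumption made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: simplified model of per-interface, first-match ("quick") rule
# evaluation with an implicit default block, as used by OPNsense GUI rules.
# Not the real pf engine; floating rules, states and anti-lockout are left out.


@dataclass(frozen=True)
class Rule:
    iface: str            # inbound interface the rule is bound to, e.g. "igb0"
    src: str              # source network in CIDR notation, or "any"
    dst: str              # destination network in CIDR notation, or "any"
    dport: Optional[int]  # destination TCP port, None = any port
    action: str = "pass"


def _in_net(addr: str, net: str) -> bool:
    """True if addr is inside net, or net is the wildcard 'any'."""
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def evaluate(rules, iface: str, src: str, dst: str, dport: int) -> str:
    """Return 'pass' or 'block' for a packet arriving on `iface`."""
    for r in rules:
        if r.iface != iface:
            continue  # rules on igb0 never see traffic entering on igb2
        if _in_net(src, r.src) and _in_net(dst, r.dst) and r.dport in (None, dport):
            return r.action  # first match wins
    return "block"  # no rule matched on this interface: implicit default deny


LAN_NET = "192.168.1.0/24"
MGMT_NET = "192.168.2.0/24"

# Out of the box only LAN (igb0) carries the default "allow LAN net to any" rule.
DEFAULT_RULES = [Rule("igb0", LAN_NET, "any", None)]

# After copying the LAN rule to MGMT (igb2) with source set to the MGMT network.
FIXED_RULES = DEFAULT_RULES + [Rule("igb2", MGMT_NET, "any", None)]


def gui_reachable(rules, iface: str, pc_ip: str, fw_ip: str, port: int = 80) -> bool:
    """Would an HTTP request from pc_ip to the firewall's fw_ip on `iface` get through?"""
    return evaluate(rules, iface, pc_ip, fw_ip, port) == "pass"


def scenarios() -> dict:
    """The situations from the thread, plus a source-address caveat."""
    return {
        # PC on 192.168.1.40 talking to 192.168.1.1 via igb0: default LAN rule passes it
        "lan_default": gui_reachable(DEFAULT_RULES, "igb0", "192.168.1.40", "192.168.1.1"),
        # PC on 192.168.2.40 talking to 192.168.2.1 via igb2 with no MGMT rule: dropped
        "mgmt_default": gui_reachable(DEFAULT_RULES, "igb2", "192.168.2.40", "192.168.2.1"),
        # Same packet once the MGMT allow rule exists
        "mgmt_fixed": gui_reachable(FIXED_RULES, "igb2", "192.168.2.40", "192.168.2.1"),
        # Caveat: source "MGMT net" only matches 192.168.2.0/24; a request that leaves
        # the PC with its 192.168.1.40 address on igb2 is still blocked
        "mgmt_fixed_wrong_src": gui_reachable(FIXED_RULES, "igb2", "192.168.1.40", "192.168.2.1"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:22s} {'reachable' if ok else 'timeout (blocked)'}")
```

The "mgmt_fixed_wrong_src" case is the check worth keeping in mind when a PC carries several secondary addresses: a rule scoped to the MGMT network only admits packets whose source is actually inside 192.168.2.0/24, so the client must use its 192.168.2.x address on that segment.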

In addition to what @patient0 has mentioned, is your 192.168.2.1 in a separate VLAN other than VLAN144? Have you changed or set the VLANs for the newly created igb2 interface in your firewall and also in the switch, just like you did for VLAN144?

After install, igb0, which is your default LAN, comes with default rules. But when you create a new interface igb2, you need to set firewall rules to allow traffic when it moves through igb2.